Next Generation Wireless Recon, 
Visualizing the Airwaves 




Joshua D. Abraham 
-GISKismet/Perl 

Ben Smith 

- Airgraph-ng / Python 




About Us 

Jabra AKA "Joshua D. Abraham" 

-Security Consultant 

-Penetration Testing, Web Application 
Assessments and Wireless Audits 

-Works on many Open Source Projects: 

• Backtrack LiveCD, Fierce, Nikto and PBNJ 

TheXlle AKA Ben Smith 
-Network Engineer 

-Contributes to 

• Backtrack 






Agenda 

• Current Wireless Tools / Methods 

• Our Goals & Implementations 

• Screen Shots & DEMO(s) 

• Future Work/QA 






Wireless Recon 

Special Thanks to: 
-Mike Kershaw "Dragorn" 
-Thomas d'Otreppe "Mister_X" 
-RBG "Graphic Arts" 

-The Folks that make Shmoocon possible 
Ph33rthemM 






Wireless Recon 

Kismet (stable, devel and newcore) 
-Recon and Enumeration 
Aircrack-ng 
-Cracking WEP and WPA 
Netstumbler 
-(some people still use windows) 






Kismet 

Locate / Identify AP(s) 

-BSSID, ESSID, Channel and Encryption 

-GPS data 

-Much, much more... 

Locate / Identify Client(s) 
-MAC Address 
-Manufacturers 

Spectrum analysis 

Drones / open-source WIPS 






Aircrack-ng 



Suite of tools for wireless testing 

- Mostly thought of as a wireless cracking suite 

- Can also be used for wireless recon 
-i.e. Airodump-ng 






Types of Recon Data 

Kismet-(stable|devel) 
-Txt, CSV, XML, GPS and pcap 
Kismet-newcore 
-Txt, NetXML, GPS and pcap 
Aircrack-ng 
-CSV, pcap 
-XML "coming soon" (quoting "Mister_X") 






Current Visualization Recon 

Gpsmap (ancient) 
Pykismet 
Kismet-earth 
kisgearth 






Limitations of Current Visualization Tools 

None work with Kismet-newcore 

None work with Aircrack-ng 

Flexible representation of specific information 

-Total flexibility in the generated graphs 






Agenda 

• Current Wireless Tools / Methods 

• Our Goals & Implementations 

• Screen Shots & DEMO(s) 

• Future Work/QA 






Goals - GISKismet 

Building Visual Representations of Kismet data 

Store information from: 
- Kismet-devel and Kismet-newcore 
Correlate information in database 
Graphically represent information 
Filter out non-useful information 






GISKismet - .01 

Initial PoC - Spring 08 

Only worked with Kismet-devel CSV 

Mapped data to SQLite 

Several tools 

-Create database 

-Insert data 

-Query database 

No filtering of the input data 






GISKismet - .02 

Redesigned as single tool 
Parse Kismet logs 

- Kismet-devel 

- Kismet-newcore 

SQLite database 






GISKismet - Filters 

Input filters 
• AP configuration data 

• Query filters on any information 

• AP configuration 

• Client information 

• GPS coordinate(s) 






GISKismet - Filters(2) 

Filter input 

-Insert all AP(s) on channel 6 named Linksys 

Filter output 

-Output all AP(s) without Encryption 
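To make the two filter stages concrete, here is an added Python sketch (not GISKismet's own Perl code): it parses a constructed, simplified Kismet-newcore NetXML log into a `wireless` table in SQLite, applies the input filter from this slide (insert only linksys APs on channel 6), runs the "no encryption" output query shown in the Google Earth screenshot later in the deck with bound parameters, and emits KML placemarks. The NetXML layout, table columns, BSSIDs and coordinates are assumptions made up for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed, simplified Kismet-newcore NetXML (not a real capture; real logs carry many more fields).
NETXML = """<detection-run>
<wireless-network type="infrastructure"><SSID><essid>linksys</essid><encryption>None</encryption></SSID>
 <BSSID>00:11:22:33:44:01</BSSID><channel>6</channel><gps-info><avg-lat>42.360</avg-lat><avg-lon>-71.060</avg-lon></gps-info></wireless-network>
<wireless-network type="infrastructure"><SSID><essid>linksys</essid><encryption>WPA+TKIP</encryption></SSID>
 <BSSID>00:11:22:33:44:02</BSSID><channel>6</channel><gps-info><avg-lat>42.361</avg-lat><avg-lon>-71.061</avg-lon></gps-info></wireless-network>
<wireless-network type="infrastructure"><SSID><essid>linksys</essid><encryption>None</encryption></SSID>
 <BSSID>00:11:22:33:44:03</BSSID><channel>11</channel><gps-info><avg-lat>42.362</avg-lat><avg-lon>-71.062</avg-lon></gps-info></wireless-network>
</detection-run>"""

def parse_netxml(text):
    """Yield one AP dict per <wireless-network>; a missing <encryption> is treated as 'None' (open)."""
    for net in ET.fromstring(text).iter("wireless-network"):
        yield {"BSSID": net.findtext("BSSID"),
               "ESSID": net.findtext("SSID/essid", ""),
               "Channel": net.findtext("channel"),
               "Encryption": net.findtext("SSID/encryption") or "None",
               "lat": float(net.findtext("gps-info/avg-lat", "0")),
               "lon": float(net.findtext("gps-info/avg-lon", "0"))}

def build_db(text, essid=None, channel=None):
    """Input filter: only APs matching the requested ESSID and/or channel are inserted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wireless (BSSID TEXT PRIMARY KEY, ESSID TEXT, "
               "Channel TEXT, Encryption TEXT, lat REAL, lon REAL)")
    for ap in parse_netxml(text):
        if (essid is not None and ap["ESSID"] != essid) or (channel is not None and ap["Channel"] != channel):
            continue
        # PRIMARY KEY on BSSID collapses an AP seen in several log files into one row
        db.execute("INSERT OR REPLACE INTO wireless VALUES (:BSSID, :ESSID, :Channel, :Encryption, :lat, :lon)", ap)
    return db

def open_aps(db, essid="linksys", channel="6"):
    """Output filter: the screenshot's query, with bound parameters instead of values pasted into the SQL."""
    return db.execute("SELECT BSSID, ESSID, Channel, lat, lon FROM wireless "
                      "WHERE ESSID=? AND Channel=? AND Encryption='None'", (essid, channel)).fetchall()

def to_kml(rows):
    """One Placemark per AP, the form Google Earth loads into Temporary Places (coordinates are lon,lat,alt)."""
    marks = "".join(f"<Placemark><name>{e}</name><description>BSSID {b}, channel {c}</description>"
                    f"<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>"
                    for b, e, c, lat, lon in rows)
    return f'<kml xmlns="http://www.opengis.net/kml/2.2"><Document>{marks}</Document></kml>'
```

Write the string returned by `to_kml` to a `.kml` file and open it in Google Earth to get the folder of placemarks shown in the screenshot.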






Goals - Airgraph-ng 

• Started back in November 2008 

• Wanted to learn python 

• A visual way to see airodump-ng data 

• Specific graph types 

• Client Focused 






Airgraph-ng - Graph Types 

CAPR (Client AP Relationship) 

-Shows links between Access Points and Clients 

- Focuses more on clients than APs 

- Only APs with clients get graphed 

• This can lead to smaller graphs than you are expecting 

- Keeps basic statistics of the mapping 

• Total number of clients associated 

• Number of clients per AP 

- Color-based coding of each AP 

• Red = Open 

• Yellow = WEP 

• Green = WPA / WPA2 






Airgraph-ng - Graph Types 

• CPG (Client Probe Graph) 

-Graphs links between clients and probe requests 

- Probes are shown in blue 
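As an added example covering both the CAPR and CPG slides (not airgraph-ng's own code): it parses a constructed airodump-ng style CSV, builds a CAPR graph in Graphviz DOT with the slide's colour coding and client counts (APs without clients dropped), and a CPG graph with blue probe edges. The column layout follows airodump-ng's CSV; the MAC addresses, ESSIDs and timestamps are made up.

```python
# Constructed airodump-ng style CSV (not a real capture): AP section, blank line, station section.
CSV = """BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2009-02-07 10:00:00, 2009-02-07 10:05:00,  6, 54, OPN ,     ,    , -60, 120,  0,   0.  0.  0.  0,  7, linksys,
00:11:22:33:44:02, 2009-02-07 10:00:00, 2009-02-07 10:05:00,  6, 54, WEP , WEP ,    , -70,  80, 15,   0.  0.  0.  0,  5, guest,
00:11:22:33:44:03, 2009-02-07 10:00:00, 2009-02-07 10:05:00, 11, 54, WPA2, CCMP, PSK, -55, 200,  0,   0.  0.  0.  0,  4, corp,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2009-02-07 10:01:00, 2009-02-07 10:04:00, -40, 30, 00:11:22:33:44:01, linksys
AA:BB:CC:00:00:02, 2009-02-07 10:01:00, 2009-02-07 10:04:00, -50, 12, 00:11:22:33:44:01, linksys,cafe
AA:BB:CC:00:00:03, 2009-02-07 10:02:00, 2009-02-07 10:04:00, -65,  5, (not associated), corp,home"""

def parse_airodump_csv(text):
    """aps: BSSID -> (ESSID, Privacy); stations: client MAC -> (BSSID or '(not associated)', [probed ESSIDs])."""
    aps, stations, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith("BSSID,"):
            section = "ap"
        elif line.startswith("Station MAC,"):
            section = "sta"
        elif line.strip():
            f = [x.strip() for x in line.split(",")]
            if section == "ap":
                aps[f[0]] = (f[13], f[5])  # ESSID, Privacy (assumes no comma inside the ESSID)
            else:  # probed ESSIDs are themselves comma-separated, so they spill past field 6
                stations[f[0]] = (f[5], [p for p in f[6:] if p])
    return aps, stations

def ap_color(privacy):
    """Colour coding from the slide: red = open, yellow = WEP, green = WPA / WPA2."""
    return "red" if "OPN" in privacy else "yellow" if "WEP" in privacy else "green"

def capr_dot(aps, stations):
    """CAPR as Graphviz DOT; APs with no client are left out, which is why the graph can be smaller than expected."""
    per_ap = {}
    for mac, (bssid, _) in stations.items():
        if bssid in aps:
            per_ap.setdefault(bssid, []).append(mac)
    out = ["digraph CAPR {", "  node [style=filled];"]
    for bssid, clients in per_ap.items():
        essid, priv = aps[bssid]
        out.append(f'  "{bssid}" [label="{essid}\\n{bssid}\\n{len(clients)} client(s)", fillcolor={ap_color(priv)}];')
        out += [f'  "{bssid}" -> "{c}";' for c in clients]
    out.append(f'  label="{sum(map(len, per_ap.values()))} clients associated to {len(per_ap)} AP(s)";')
    return "\n".join(out + ["}"]), per_ap  # the per-AP map doubles as the slide's basic statistics

def cpg_dot(stations):
    """Client Probe Graph: one blue edge per (client, probed ESSID) pair, associated or not."""
    out = ["digraph CPG {"]
    for mac, (_, probes) in stations.items():
        out += [f'  "{mac}" -> "{p}" [color=blue];' for p in probes]
    return "\n".join(out + ["}"])
```

Pipe either DOT string into `dot -Tpng` to render the image; the unassociated client only shows up in the CPG output.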






Airgraph-ng - Maltego Support 

Maltego with local transform support 

Custom Scripts written by 
AndrewMohawk 

Runs on both Windows and Linux 

Multiple types of transforms AP to.... 
-ESSID 

-BSSID 
-Clients 
-IPs 






Agenda 

• Current Wireless Tools / Methods 

• Our Goals & Implementations 

• Screen Shots & DEMO(s) 

• Future Work/QA 






Screenshots - GISKismet 
[Screenshot: Google Earth "Search / Places" panel. Under Temporary Places, a folder named "Linksys APs on Chan 6 w/ No Encryption" holds the GISKismet query 

select * from wireless WHERE ESSID='linksys' AND Channel='6' AND Encryption='None' 

and its results: eight "linksys" placemarks, each listed with its BSSID and channel 6.] 






DEMO - GISKismet 






Screenshots - Airgraph-ng 
DEMO - Airgraph-ng 



CAPR Graph 

- Demo 
CPG Graph 

- Demo 
Maltego 

- Demo 






Agenda 

• Current Wireless Tools / Methods 

• Our Goals & Implementations 

• DEMO(s) 

• Future Work / QA 

• World Domination! 






Future Work 

Easier / Additional filters 
Graphic engines 

• Maltego 

• Google Earth 

• Additional /Alternative engines 






Future Work - GISKismet 



• Access Point Location correction 

-Single AP / Multiple APs 
-Multiple Log files 
-Tracking over time (think PBNJ) 
-Correctly pinpoint location 

• GIS fully incorporated 
-Spatial data representations 

• Alternative graphing software 

-Google Earth requires a network connection 






Future Work - Airgraph 

• Show all data in a single graph 

• Smaller images 

• More graph types 

• Filtering engine 

- Time aware 

- GPS Support 

- Grouping based on channel or encryption type 

- BSSID / ESSID filters 

• Kismet newcore Support 

• Better statistics about the graph 






Questions?? 






Where to Find Us 

Joshua D. Abraham 

Ben Smith 
-thexlle@gmail.com 






Oh wait, did we forget something??? 






Want some fresh code ? 






GISKismet .02 Released! 



http://my-trac.assembla.com/giskismet/ 






Airgraph-ng 

Currently in aircrack-ng svn 



Aircrack-ng 1.0 RC2 Release 
Backtrack 4 Beta 







